Compare commits
35 commits
| Author | SHA1 | Date | |
|---|---|---|---|
|
9ba33124b5 | ||
|
1211d57e8c | ||
|
deb231a158 | ||
|
|
65d5ed337c | ||
|
|
d0db063667 | ||
|
|
0f3aed29b0 | ||
|
|
cff91463a9 | ||
|
c49d7bbb07 |
||
|
|
37b7696e18 |
||
|
|
b6958ea0f1 |
||
|
|
fb7e8af02d |
||
|
|
766e2e72c4 |
||
|
|
b2114083bc |
||
|
9376ad7cef | ||
|
4fe4bb10ff | ||
|
|
09de749476 | ||
|
|
18222fd21f | ||
|
|
800ae53822 | ||
|
|
42c03a171f | ||
|
|
0a6de2faa0 |
||
|
|
c0ee28ad0f |
||
|
|
2518497b73 |
||
|
|
0774c8f1f4 |
||
|
|
1e3a6672c9 |
||
|
|
0016135c46 |
||
|
|
fdf3e874a7 |
||
|
|
dcf127b024 |
||
|
|
e437259216 |
||
|
|
0e9558002d |
||
|
|
6b6fe26acb |
||
|
|
029e334ac6 |
||
|
|
09ee3421bf |
||
|
|
18fb4db2c3 |
||
|
|
5da44fd747 |
||
|
|
3d40f2c2af |
3 changed files with 178 additions and 101 deletions
77
.gitignore
vendored
77
.gitignore
vendored
|
|
@ -1,76 +1 @@
|
|||
/container-selinux-513572d.tar.gz
|
||||
/container-selinux-bcdcb9a.tar.gz
|
||||
/container-selinux-3bbbad5.tar.gz
|
||||
/container-selinux-b9809fa.tar.gz
|
||||
/container-selinux-ba28054.tar.gz
|
||||
/container-selinux-9e004af.tar.gz
|
||||
/container-selinux-ce95ddb.tar.gz
|
||||
/container-selinux-f7333f9.tar.gz
|
||||
/container-selinux-08bb6e0.tar.gz
|
||||
/container-selinux-8f8caa6.tar.gz
|
||||
/container-selinux-14f7c51.tar.gz
|
||||
/container-selinux-c81ea26.tar.gz
|
||||
/container-selinux-9027f8e.tar.gz
|
||||
/container-selinux-ed3082b.tar.gz
|
||||
/container-selinux-5212fea.tar.gz
|
||||
/container-selinux-a80afba.tar.gz
|
||||
/container-selinux-c5fd77f.tar.gz
|
||||
/container-selinux-c89e9b5.tar.gz
|
||||
/container-selinux-58324f3.tar.gz
|
||||
/container-selinux-81ff96c.tar.gz
|
||||
/container-selinux-a9260d4.tar.gz
|
||||
/container-selinux-e37e93d.tar.gz
|
||||
/container-selinux-de38c07.tar.gz
|
||||
/container-selinux-0620186.tar.gz
|
||||
/container-selinux-47e0448.tar.gz
|
||||
/container-selinux-b430a71.tar.gz
|
||||
/container-selinux-0b666c4.tar.gz
|
||||
/container-selinux-7fe0136.tar.gz
|
||||
/container-selinux-dca3b87.tar.gz
|
||||
/container-selinux-f9a30e8.tar.gz
|
||||
/container-selinux-d985665.tar.gz
|
||||
/container-selinux-8ba32a4.tar.gz
|
||||
/container-selinux-26c642a.tar.gz
|
||||
/container-selinux-96e58bf.tar.gz
|
||||
/container-selinux-599072a.tar.gz
|
||||
/container-selinux-231b213.tar.gz
|
||||
/container-selinux-d148550.tar.gz
|
||||
/container-selinux-dfcc97d.tar.gz
|
||||
/container-selinux-38a982b.tar.gz
|
||||
/container-selinux-2377c73.tar.gz
|
||||
/container-selinux-aece4ff.tar.gz
|
||||
/container-selinux-663e003.tar.gz
|
||||
/container-selinux-fd7d508.tar.gz
|
||||
/container-selinux-fd50128.tar.gz
|
||||
/container-selinux-bdc0137.tar.gz
|
||||
/container-selinux-55c7d4d.tar.gz
|
||||
/container-selinux-d248f91.tar.gz
|
||||
/container-selinux-d213769.tar.gz
|
||||
/container-selinux-701557f.tar.gz
|
||||
/container-selinux-97f8dfc.tar.gz
|
||||
/container-selinux-9b55129.tar.gz
|
||||
/container-selinux-1ecf953.tar.gz
|
||||
/container-selinux-284f9e7.tar.gz
|
||||
/container-selinux-d346375.tar.gz
|
||||
/container-selinux-bf5b26b.tar.gz
|
||||
/container-selinux-dfaf8fd.tar.gz
|
||||
/container-selinux-8ecc282.tar.gz
|
||||
/container-selinux-0407867.tar.gz
|
||||
/container-selinux-042f7cf.tar.gz
|
||||
/container-selinux-25277c8.tar.gz
|
||||
/container-selinux-c139a3d.tar.gz
|
||||
/container-selinux-452b90d.tar.gz
|
||||
/container-selinux-4e73492.tar.gz
|
||||
/container-selinux-5721d74.tar.gz
|
||||
/container-selinux-d7a3f33.tar.gz
|
||||
/container-selinux-a62c2db.tar.gz
|
||||
/container-selinux-99e2cfd.tar.gz
|
||||
/container-selinux-87fae85.tar.gz
|
||||
/container-selinux-5133af6.tar.gz
|
||||
/container-selinux-2c57a17.tar.gz
|
||||
/container-selinux-1362777.tar.gz
|
||||
/container-selinux-6f01752.tar.gz
|
||||
/container-selinux-1b655d9.tar.gz
|
||||
/container-selinux-484806a.tar.gz
|
||||
/container-selinux-21c2be6.tar.gz
|
||||
/container-selinux-5e1f62f.tar.gz
|
||||
/container-selinux-f958d0c.tar.gz
|
||||
|
|
|
|||
|
|
@ -1,8 +1,8 @@
|
|||
%global debug_package %{nil}
|
||||
|
||||
# container-selinux
|
||||
%global git0 https://github.com/projectatomic/container-selinux
|
||||
%global commit0 5e1f62fe319ebbef46bcabc8cc5e22d209411dda
|
||||
%global git0 https://github.com/containers/container-selinux
|
||||
%global commit0 f958d0cee4099f79890247ec64b57502b3acdb9f
|
||||
%global shortcommit0 %(c=%{commit0}; echo ${c:0:7})
|
||||
|
||||
# container-selinux stuff (prefix with ds_ for version/release etc.)
|
||||
|
|
@ -16,18 +16,16 @@
|
|||
# Format must contain '$x' somewhere to do anything useful
|
||||
%global _format() export %1=""; for x in %{modulenames}; do %1+=%2; %1+=" "; done;
|
||||
|
||||
# Relabel files
|
||||
%global relabel_files() %{_sbindir}/restorecon -R %{_bindir}/*podman* %{_bindir}/*runc* %{_bindir}/*crio %{_bindir}/docker* %{_localstatedir}/run/containerd.sock %{_localstatedir}/run/docker.sock %{_localstatedir}/run/docker.pid %{_sysconfdir}/docker %{_sysconfdir}/crio %{_localstatedir}/log/docker %{_localstatedir}/log/lxc %{_localstatedir}/lock/lxc %{_unitdir}/docker.service %{_unitdir}/docker-containerd.service %{_unitdir}/docker-latest.service %{_unitdir}/docker-latest-containerd.service %{_sysconfdir}/docker %{_libexecdir}/docker* &> /dev/null || :
|
||||
|
||||
# Version of SELinux we were using
|
||||
%global selinux_policyver 3.13.1-220
|
||||
%global selinux_policyver 3.14.3-53
|
||||
|
||||
# Hooked up to autobuilder, please check with @lsm5 before updating
|
||||
Name: container-selinux
|
||||
%if 0%{?fedora}
|
||||
Epoch: 2
|
||||
%endif
|
||||
Version: 2.82
|
||||
Release: 1.git%{shortcommit0}%{?dist}
|
||||
Version: 2.124.0
|
||||
Release: 3%{?dist}
|
||||
License: GPLv2
|
||||
URL: %{git0}
|
||||
Summary: SELinux policies for container runtimes
|
||||
|
|
@ -70,37 +68,31 @@ rm -rf container-selinux.spec
|
|||
|
||||
%check
|
||||
|
||||
%pre
|
||||
%selinux_relabel_pre -s %{selinuxtype}
|
||||
|
||||
%post
|
||||
# Install all modules in a single transaction
|
||||
if [ $1 -eq 1 ]; then
|
||||
%{_sbindir}/setsebool -P -N virt_use_nfs=1 virt_sandbox_use_all_caps=1
|
||||
%{_sbindir}/setsebool -P -N virt_use_nfs=1 virt_sandbox_use_all_caps=1
|
||||
fi
|
||||
%_format MODULES %{_datadir}/selinux/packages/$x.pp.bz2
|
||||
%{_sbindir}/semodule -n -s %{selinuxtype} -r container 2> /dev/null
|
||||
%{_sbindir}/semodule -n -s %{selinuxtype} -d docker 2> /dev/null
|
||||
%{_sbindir}/semodule -n -s %{selinuxtype} -d gear 2> /dev/null
|
||||
%{_sbindir}/semodule -n -X 200 -s %{selinuxtype} -i $MODULES > /dev/null
|
||||
if %{_sbindir}/selinuxenabled ; then
|
||||
%{_sbindir}/load_policy
|
||||
%relabel_files
|
||||
if [ $1 -eq 1 ]; then
|
||||
restorecon -R %{_sharedstatedir}/docker &> /dev/null || :
|
||||
restorecon -R %{_sharedstatedir}/containers &> /dev/null || :
|
||||
fi
|
||||
fi
|
||||
%selinux_modules_install -s %{selinuxtype} $MODULES
|
||||
. %{_sysconfdir}/selinux/config
|
||||
sed -e "\|container_file_t|h; \${x;s|container_file_t||;{g;t};a\\" -e "container_file_t" -e "}" -i /etc/selinux/${SELINUXTYPE}/contexts/customizable_types
|
||||
matchpathcon -qV %{_sharedstatedir}/containers || restorecon -R %{_sharedstatedir}/containers &> /dev/null || :
|
||||
|
||||
%postun
|
||||
if [ $1 -eq 0 ]; then
|
||||
%{_sbindir}/semodule -n -r %{modulenames} docker &> /dev/null || :
|
||||
if %{_sbindir}/selinuxenabled ; then
|
||||
%{_sbindir}/load_policy
|
||||
%relabel_files
|
||||
fi
|
||||
%selinux_modules_uninstall -s %{selinuxtype} %{modulenames} docker
|
||||
fi
|
||||
|
||||
%posttrans
|
||||
%selinux_relabel_post -s %{selinuxtype}
|
||||
|
||||
#define license tag if not already defined
|
||||
%{!?_licensedir:%global license %doc}
|
||||
|
||||
|
|
@ -108,8 +100,168 @@ fi
|
|||
%doc README.md
|
||||
%{_datadir}/selinux/*
|
||||
|
||||
# Hooked up to autobuilder, please check with @lsm5 before updating
|
||||
%changelog
|
||||
* Sun Feb 10 2019 Dan Walsh <dwalsh@fedoraproject.org> - 2.82-1
|
||||
* Fri Jan 03 2020 Jindrich Novy <jnovy@redhat.com> - 2:2.124.0-3
|
||||
- implement spec file refactoring by Zdenek Pytela, namely:
|
||||
Change the uninstall command in the %%postun section of the specfile
|
||||
to use the %%selinux_modules_uninstall macro which uses priority 200.
|
||||
Change the install command in the %%post section if the specfile
|
||||
to use the %%selinux_modules_install macro.
|
||||
Replace relabel commands with using the %%selinux_relabel_pre and
|
||||
%%selinux_relabel_post macros.
|
||||
Change formatting so that the lines are vertically aligned
|
||||
in the %%postun section.
|
||||
(https://github.com/containers/container-selinux/pull/85)
|
||||
|
||||
* Wed Dec 11 2019 RH Container Bot <rhcontainerbot@fedoraproject.org> - 2:2.124.0-2
|
||||
- bump to v2.124.0
|
||||
- autobuilt f958d0c for fedora
|
||||
- autobuilt c57a6f9 for centos
|
||||
|
||||
* Fri Dec 06 2019 RH Container Bot <rhcontainerbot@fedoraproject.org> - 2:2.123.0-2
|
||||
- bump to v2.123.0
|
||||
- autobuilt 0b25a4a for fedora
|
||||
- autobuilt c57a6f9 for centos
|
||||
|
||||
* Sun Oct 27 2019 RH Container Bot <rhcontainerbot@fedoraproject.org> - 2:2.119.1-2
|
||||
- bump to v2.119.1
|
||||
- autobuilt 2ecb2a8 for fedora
|
||||
- autobuilt c57a6f9 for centos
|
||||
|
||||
* Thu Oct 24 2019 RH Container Bot <rhcontainerbot@fedoraproject.org> - 2:2.119.0-2
|
||||
- bump to v2.119.0
|
||||
- autobuilt b383f07 for fedora
|
||||
- autobuilt 42087be for centos
|
||||
|
||||
* Fri Oct 11 2019 RH Container Bot <rhcontainerbot@fedoraproject.org> - 2:2.118.0-2
|
||||
- bump to v2.118.0
|
||||
- autobuilt 79bdcb5 for fedora
|
||||
- autobuilt 42087be for centos
|
||||
|
||||
* Fri Sep 20 2019 Dan Walsh <dwalsh@fedoraproject.org> - 2.117-1
|
||||
- Add label for /usr/bin/crun
|
||||
|
||||
* Thu Sep 5 2019 Dan Walsh <dwalsh@fedoraproject.org> - 2.116-1
|
||||
- Don't let container_runtime_t transition to svirt domains.
|
||||
|
||||
* Wed Aug 21 2019 Dan Walsh <dwalsh@fedoraproject.org> - 2.115-1
|
||||
- Allow containers to execmod files on fusefs_t
|
||||
|
||||
* Mon Aug 19 2019 Dan Walsh <dwalsh@fedoraproject.org> - 2.114-1
|
||||
- Allow containers to settatr on /proc/self/ lnk_files
|
||||
- Allow containers to remount /proc
|
||||
|
||||
* Fri Aug 9 2019 Dan Walsh <dwalsh@fedoraproject.org> - 2.113-1
|
||||
- Allow containers to name_bind to rawip_sockets.
|
||||
|
||||
* Thu Aug 8 2019 Dan Walsh <dwalsh@fedoraproject.org> - 2.112-1
|
||||
- Allow containers to use fusefs_t entrypoint
|
||||
- Dontaudit attempts to setattr on devicenodes.
|
||||
|
||||
* Wed Jul 24 2019 Fedora Release Engineering <releng@fedoraproject.org> - 2:2.111.0-3.1.dev.git9a75deb
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
|
||||
|
||||
* Thu Jul 18 2019 Lokesh Mandvekar (Bot) <lsm5+bot@fedoraproject.org> - 2:2.111.0-2.1.dev.git9a75deb
|
||||
- bump to 2.111.0
|
||||
- autobuilt 9a75deb
|
||||
|
||||
* Wed Jul 10 2019 Lokesh Mandvekar <lsm5@fedoraproject.org> - 2.110.0-1.1.dev.git544d71f
|
||||
- bump to v2.110.0
|
||||
- hook up to autobuild
|
||||
|
||||
* Mon Jul 8 2019 Dan Walsh <dwalsh@fedoraproject.org> - 2.109-1
|
||||
- Allow containers to accept connections on all socket types
|
||||
- Allow containers to connect to gssproxy stream sockets if added to container
|
||||
|
||||
* Fri Jun 14 2019 Dan Walsh <dwalsh@fedoraproject.org> - 2.107-1
|
||||
- Allow containers to manipulate Onload files.
|
||||
|
||||
* Tue Jun 11 2019 Dan Walsh <dwalsh@fedoraproject.org> - 2.106-1
|
||||
- Allow all unconfined domains to manage unlabeled keyrings
|
||||
- Add labeling for kubernetes pods
|
||||
|
||||
* Mon Jun 3 2019 Dan Walsh <dwalsh@fedoraproject.org> - 2.104-1
|
||||
- Set proper labeling for container volumes in SilverBlue
|
||||
|
||||
* Fri May 17 2019 Dan Walsh <dwalsh@fedoraproject.org> - 2.103-1
|
||||
- Set proper labeling for container volumes
|
||||
|
||||
* Sun May 12 2019 Dan Walsh <dwalsh@fedoraproject.org> - 2.102-1
|
||||
- Allow all container domains to be entered from container_file_t
|
||||
|
||||
* Fri May 3 2019 Dan Walsh <dwalsh@fedoraproject.org> - 2.101-1
|
||||
- Allow containers to read rpm cache and rpm databse
|
||||
|
||||
* Tue Apr 23 2019 Dan Walsh <dwalsh@fedoraproject.org> - 2.100-1
|
||||
- Allow containers running as spc_t to create unlabeled_t kernel keyrings
|
||||
|
||||
* Mon Apr 22 2019 Dan Walsh <dwalsh@fedoraproject.org> - 2.99-1
|
||||
- Fix labeling on /var/lib/containers/storage/overlay-layers,images to be sharable.
|
||||
|
||||
* Mon Apr 15 2019 Dan Walsh <dwalsh@fedoraproject.org> - 2.98-1
|
||||
- Allow iptables to append to container_file_t
|
||||
|
||||
* Fri Apr 12 2019 Dan Walsh <dwalsh@fedoraproject.org> - 2.97-1
|
||||
- Allow containers to read/write sysctl_kernel_ns_last_pid_t
|
||||
- Allow containers to manage fusefs sockets and named pipes
|
||||
|
||||
* Thu Apr 4 2019 Dan Walsh <dwalsh@fedoraproject.org> - 2.96-1
|
||||
- Allow containers to read/write sysctl_kernel_ns_last_pid_t
|
||||
|
||||
* Mon Apr 1 2019 Dan Walsh <dwalsh@fedoraproject.org> - 2.95-1
|
||||
- Allow containers to create fusefs sockets and named pipes
|
||||
|
||||
* Thu Mar 28 2019 Dan Walsh <dwalsh@fedoraproject.org> - 2.94-1
|
||||
- Allow init_t to manage container content
|
||||
- Allow container domains to create fifo_files on fusefs file systems
|
||||
- Add boolean to allow containers to use ceph file systems
|
||||
|
||||
* Tue Mar 26 2019 Dan Walsh <dwalsh@fedoraproject.org> - 2.91-1
|
||||
- Allow container runtimes to create unlabeled keyrings
|
||||
|
||||
* Wed Mar 20 2019 Dan Walsh <dwalsh@fedoraproject.org> - 2.90-1
|
||||
- Allow containers to mount and umount fuse file systems. This will allow us
|
||||
- to use buidlah within a user namespace separated container.
|
||||
|
||||
* Sat Mar 9 2019 Dan Walsh <dwalsh@fedoraproject.org> - 2.89-1
|
||||
- Allow all container domains to have container file types entrypoint
|
||||
- Add new release to fix issues with udica
|
||||
- Allow container_runtime_t to dyntransition to container domains
|
||||
|
||||
* Sat Mar 09 2019 Lokesh Mandvekar (Bot) <lsm5+bot@fedoraproject.org> - 2:2.89-5.git2521d0d
|
||||
- bump to 2.89
|
||||
- autobuilt 2521d0d
|
||||
|
||||
* Thu Mar 07 2019 Lokesh Mandvekar (Bot) <lsm5+bot@fedoraproject.org> - 2:2.88-4.git5c98b56
|
||||
- bump to 2.88
|
||||
- autobuilt 5c98b56
|
||||
|
||||
* Wed Mar 06 2019 Lokesh Mandvekar (Bot) <lsm5+bot@fedoraproject.org> - 2:2.87-3.git2c1a2ab
|
||||
- autobuilt 2c1a2ab
|
||||
|
||||
* Sat Mar 02 2019 Lokesh Mandvekar (Bot) <lsm5+bot@fedoraproject.org> - 2:2.87-2.git891a85f
|
||||
- bump to 2.87
|
||||
- autobuilt 891a85f
|
||||
|
||||
* Fri Mar 1 2019 Dan Walsh <dwalsh@fedoraproject.org> - 2.86-1
|
||||
- Allow unconfined user and services to dyntrans to container domains, needed for CRIU
|
||||
- Allow containers exectue hugetlb files.
|
||||
|
||||
* Thu Feb 28 2019 Dan Walsh <dwalsh@fedoraproject.org> - 2.85-1
|
||||
- More allow rules to allow containers to run within containers
|
||||
|
||||
* Thu Feb 28 2019 Dan Walsh <dwalsh@fedoraproject.org> - 2.84-1
|
||||
- More allow rules to allow containers to run within containers
|
||||
|
||||
* Tue Feb 26 2019 Lokesh Mandvekar (Bot) <lsm5+bot@fedoraproject.org> - 2:2.82-2.git5e1f62f
|
||||
- bump to 2.82
|
||||
- autobuilt 5e1f62f
|
||||
|
||||
* Mon Feb 25 2019 Dan Walsh <dwalsh@fedoraproject.org> - 2.83-1
|
||||
- Allow containers to mounton cgroup and container_file_t
|
||||
|
||||
* Sun Feb 10 2019 Dan Walsh <dwalsh@fedoraproject.org> - 2.82-1.nightly.git5e1f62f
|
||||
- Allow confined users to use containers
|
||||
|
||||
* Fri Feb 08 2019 Lokesh Mandvekar (Bot) <lsm5+bot@fedoraproject.org> - 2:2.80-3.git21c2be6
|
||||
|
|
|
|||
2
sources
2
sources
|
|
@ -1 +1 @@
|
|||
SHA512 (container-selinux-5e1f62f.tar.gz) = 8184e4191cbce80e8ecf65f82e64f6b85eeda0b7b958be099b97100aaa78c71e3d0adec642eafb7e58037ba0a5b0452da7674d7e6c02a8f3c125f67629425ea7
|
||||
SHA512 (container-selinux-f958d0c.tar.gz) = 88a4ccf596233f293118e516bafee8d758e669f292c80e8b25b1a8df956ef0e14e36cb61b53f83b20fc68e9cffe8b100d792197ea311418f11169a437c5893d2
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue